Office of the Inspector General

September 22, 2000

William A. Halter
Deputy Commissioner of Social Security

Inspector General

Management Advisory Report - State Fiscal Year 1997 Single Audit Findings: Roll-up
Report (A-07-99-84007)

The attached final Management Advisory report presents the results of our review. Our
objective was to identify areas of internal control weaknesses reported in State
Disability Determination Services financial audits covering State Fiscal Year 1997.

Please comment within 60 days from the date of this memorandum on corrective action
taken or planned on each recommendation. If you wish to discuss the final report,
please call me or have your staff contact Steven L. Schaeffer, Assistant Inspector
General for Audit, at (410) 965-9700.

James G. Huse, Jr.

Attachment

OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

STATE FISCAL YEAR 1997 SINGLE AUDIT FINDINGS: ROLL-UP REPORT

September 2000   A-07-99-84007

MANAGEMENT ADVISORY REPORT

EXECUTIVE SUMMARY

OBJECTIVE
The objective of this management advisory report was to identify areas of internal
control weaknesses reported in State Disability Determination Services (DDS) financial
audits covering State Fiscal Year (SFY) 1997. To accomplish our objective, we
compiled and categorized DDS findings reported for 14 States in their SFY 1997 single
audits.¹ We also included findings reported by the Social Security Administration (SSA),
Office of the Inspector General (OIG) in its administrative cost audits at the California,
Delaware, and Missouri DDSs.²

BACKGROUND
Single Audit Act

The Single Audit Act of 1984 established requirements for audits of States, local
governments, and Indian tribal governments administering Federal financial assistance
programs. To implement the requirements, the Office of Management and
Budget (OMB) issued Circular A-128, “Audits of State and Local Governments.”
Circular A-128 required State and local governments receiving more than $100,000 per
year in Federal financial assistance to have an annual financial and compliance audit.
In 1990, OMB extended the single audit process to non-profit organizations by issuing
Circular A-133, “Audits of Institutions of Higher Education and Other Non-Profit
Organizations.”

On July 5, 1996, the President signed the Single Audit Act Amendments of 1996.³ The
Amendments extended the statutory audit requirement to non-profit organizations and
revised various provisions of the 1984 Act including raising the Federal financial
assistance dollar threshold for requiring an audit from $100,000 to $300,000. On
June 30, 1997, OMB issued revised Circular A-133, “Audits of States, Local
Governments, and Non-Profit Organizations” to implement the 1996 amendments and
rescinded Circular A-128.

The revised Circular A-133 was effective July 1, 1996, and applies to audits of
fiscal years beginning after June 30, 1996.
This circular requires nonfederal entities that expend $300,000 or more per year in
Federal awards to have a single or program-specific audit conducted for that year.

¹ The SFY begins on July 1 and ends on June 30, except for New York, which begins on April 1 and ends
on March 31, while Alabama and Arkansas begin on October 1 and end on September 30.
² The California, Delaware, and Missouri OIG audits covered all or part of SFY 1997 DDS operations.
³ The Amendments and revised Circular A-133 apply to all SFY 1997 single audits except the single audit
of New York. The Single Audit Act and Circular A-128 apply to New York for the period covered by the
audit.

State Disability Determination Services

SSA is responsible for the policies on developing disability claims under the Disability
Insurance (DI) and the Supplemental Security Income (SSI) programs. In accordance
with Federal regulations, the DDS in each State performs disability determinations
under the DI and SSI programs. The DDS determines claimants’ disabilities and
ensures that adequate evidence is available to support its determinations. SSA
reimburses the DDS for 100 percent of allowable expenditures.

There are 54 DDSs located in the 50 States, the District of Columbia, Puerto Rico,
Guam, and the Virgin Islands. All DDSs are subject to single audit except the federally
administered Virgin Islands DDS.

RESULTS OF REVIEW

Analysis of the 14 SFY 1997 single audit reports disclosed similar DDS findings in the
following categories: cash management, procurement, equipment and real property
management, reporting, and allowable costs.
The findings relate to DDS’
noncompliance with Federal requirements because of weaknesses in internal controls.
Appendix A summarizes the single audit findings by DDS.

The OIG audits at the California, Delaware, and Missouri DDSs also disclosed findings
in the equipment and real property management, and allowable costs areas. These
findings also relate to DDS’ noncompliance with Federal requirements because of
weaknesses in internal controls. Appendix B summarizes the OIG’s findings.

In our opinion, comparison of the California, Delaware, and Missouri DDS findings in the
single audits and the OIG audits for the same reporting period disclosed significant
differences. The OIG reported findings on unallowable costs, overstated obligations,
disbursements recorded in the wrong year, and inadequate computer access controls.
The single audits, however, did not report all of these findings. This comparison is
presented in this report for informational purposes only. We will report our comparison
to the Federal agencies who are cognizant for the California, Delaware, and Missouri
single audits in separate management letters for any action they deem appropriate.

SINGLE AUDIT QUESTIONED COSTS ($)     OIG ADMINISTRATIVE AUDIT QUESTIONED COSTS ($)
$99,585                               $3,842,472

CONCLUSIONS AND RECOMMENDATIONS

The nature and frequency of the findings, reported in SFY 1997 single audits, require
SSA’s attention to improve DDS operations. In our opinion, the noncompliance with
Federal requirements is attributed to SSA’s limited internal control emphasis and
guidance to DDSs. We believe that SSA should be proactive in providing internal
control guidance to DDSs.
To do so, SSA should provide the following instructions to
DDSs.

• Adhere to the terms of the Cash Management Improvement Act agreement.

• Follow procurement instructions established by SSA and the State.

• Obtain discounted services when competitively contracting for consultative
  examinations (CEs).

• Implement controls to prevent unauthorized computer access.

• Develop a formal contingency plan to prevent disruption of services in the event of a
  disaster.

• Maintain complete and accurate equipment inventory records and perform periodic
  physical inventories.

• Implement effective procedures for preparing, reviewing, approving and timely
  reporting of information on the Report of Obligations, the Time Report of Personal
  Services and the Cost Effectiveness Measurement System Data Reporting Form.

• Ensure that costs charged to SSA benefit the program and are properly authorized
  and documented.

• Ensure CE fees do not exceed the highest rates paid by Federal or other State
  agencies for the same or similar types of service.

• Adhere to the fees in the State approved CE fee schedule.

AGENCY COMMENTS

In response to our draft report, SSA agreed with all of our recommendations.
(See Appendix D for the full text of SSA’s comments to our draft report).

TABLE OF CONTENTS

INTRODUCTION
RESULTS OF REVIEW
     CASH MANAGEMENT
     PROCUREMENT
     EQUIPMENT AND REAL PROPERTY MANAGEMENT
          • Computer Control
          • Property Controls
     REPORTING
          • Inaccurate Financial Reports
          • Untimely Financial Reports
     ALLOWABLE COSTS
COMPARISON OF SINGLE AUDIT AND OIG FINDINGS
CONCLUSIONS AND RECOMMENDATIONS
AGENCY COMMENTS

APPENDICES

APPENDIX A - Single Audit Findings by State
APPENDIX B – Office of Inspector General Administrative Cost Audit Findings
APPENDIX C - Acronyms
APPENDIX D - Agency Comments
APPENDIX E – OIG Contacts and Staff Acknowledgments
APPENDIX F - SSA Organizational Chart

INTRODUCTION

OBJECTIVE
The objective of this management advisory report was to identify areas of internal
control weaknesses reported in State Disability Determination Services (DDS) financial
audits covering State Fiscal Year (SFY) 1997. To accomplish our objective, we
compiled and categorized DDS findings reported for 14 States in their SFY 1997 single
audits.⁴ We also included findings reported by the Social Security Administration (SSA),
Office of the Inspector General (OIG) in its administrative cost audits at the California,
Delaware, and Missouri DDSs.⁵

[Figure: United States Single Audit Findings]

BACKGROUND
Single Audit Act

The Single Audit Act of 1984 established requirements for audits of States, local
governments, and Indian tribal governments administering Federal financial assistance
programs.
To implement the requirements, the Office of Management and
Budget (OMB) issued Circular A-128, “Audits of State and Local Governments.”
Circular A-128 required State and local governments receiving more than $100,000 per
year in Federal financial assistance to have an annual financial and compliance audit.
In 1990, OMB extended the single audit process to non-profit organizations by issuing
Circular A-133, “Audits of Institutions of Higher Education and Other Non-Profit
Organizations.”

⁴ The SFY begins on July 1 and ends on June 30, except for New York, which begins on April 1 and ends
on March 31, while Alabama and Arkansas begin on October 1 and end on September 30.
⁵ The California, Delaware, and Missouri OIG audits covered all or part of SFY 1997 DDS operations.

On July 5, 1996, the President signed the Single Audit Act Amendments of 1996.⁶ The
Amendments extended the statutory audit requirement to non-profit organizations and
revised various provisions of the 1984 Act including raising the Federal financial
assistance dollar threshold for requiring an audit from $100,000 to $300,000. On
June 30, 1997, OMB issued revised Circular A-133, “Audits of States, Local
Governments, and Non-Profit Organizations” to implement the 1996 amendments and
rescinded Circular A-128.

The revised Circular A-133 was effective July 1, 1996, and applies to audits of
fiscal years (FY) beginning after June 30, 1996. Nonfederal entities that expend
$300,000 or more in a year in Federal awards shall have a single or program-specific
audit conducted for that year.

State Disability Determination Services

The Disability Insurance (DI) program established in 1954 under title II of the Social
Security Act (Act) (Public Law 96-265) provides benefits to disabled wage earners and
their families.
In 1972, Congress enacted title XVI, the Supplemental Security Income
(SSI) program (Public Law 92-603). Title XVI provides a nationally uniform program of
income and disability coverage to financially needy individuals who are aged, blind or
disabled.

SSA is responsible for the policies on developing disability claims under the DI and SSI
programs. According to Federal regulations, disability determinations under the DI and
SSI programs are performed by the DDS in each State. The DDS determines
claimants’ disabilities and ensures that adequate evidence is available to support its
determinations. SSA reimburses the DDS for 100 percent of allowable expenditures.

There are 54 DDSs located in the 50 States, the District of Columbia, Puerto Rico,
Guam, and the Virgin Islands.

⁶ The Amendments and revised Circular A-133 apply to all SFY 1997 single audits except the single audit
of New York. The Single Audit Act and Circular A-128 apply to New York for the period covered by the
audit.

SCOPE AND METHODOLOGY

From October 1998 to January 2000, we reviewed 49 SFY 1997 single audit reports
and Data Collection Forms (SF-SAC)⁷ to identify DDS findings.⁸ Of the 49 single audit
reports, 14 contained DDS findings. We reported the findings and related
recommendations on a State-by-State basis to SSA’s Management Analysis and Audit
Program Support Staff for audit resolution.

To develop this report, we reviewed:

     1. DDS findings in 14 SFY 1997 single audit reports, the related recommendations,
        and auditee responses;
     2. SF-SAC completed for 34 SFY 1997 single audits, obtained from
        http://harvester.census.gov/sac/asp/qryform.asp;
     3. Single Audit Act of 1984;
     4. Single Audit Act Amendments of 1996;
     5. OMB Circular A-128;
     6. Revised OMB Circular A-133;
     7. OMB Circular A-133 Compliance Supplement (June 1997 revision);
     8. OMB “Uniform Administrative Requirements for Grants and Cooperative
        Agreements to State and Local Governments (Common Rule);”
     9. OMB Circular A-87, “Cost Principles for State, Local and Indian Tribal
        Governments;”
    10. Title II of the Act;
    11. Title XVI of the Act;
    12. SSA’s Program Operations Manual System (POMS) instructions;
    13. Cash Management Improvement Act (CMIA) of 1990;
    14. SSA’s Systems Security Handbook; and
    15. OIG administrative cost audit reports for the California, Delaware, and Missouri
        DDSs.⁹

The Compliance Supplement identifies 14 types of compliance requirements that
auditors should consider in performing single audits, of which 6 categories apply to the
DI and SSI programs. Our review of the single audits identified findings in 5 of the
categories: cash management; procurement; equipment and real property
management; reporting; and allowable costs. This report presents the findings by the
related category identified in the compliance supplement.

⁷ The SF-SAC, required by Circular A-133, provides information about the auditee, its Federal programs,
and the results of the single audit, including findings identified by the Federal program.
⁸ SFY 1997 single audit reports for Puerto Rico and Washington, DC have not been issued because an
extension was granted by the Federal cognizant agency. Michigan and North Dakota will issue biennial
reports covering SFYs 1997 and 1998.
The Virgin Islands DDS is not subject to the Single Audit Act
since it is federally administered.
⁹ The OIG audits at the California, Delaware, and Missouri DDSs are the only OIG audits covering all or
part of SFY 1997 DDS operations.

RESULTS OF REVIEW

Analysis of the 14 SFY 1997 single audit reports disclosed similar DDS findings in the
following categories: cash management; procurement; equipment and real property
management; reporting; and allowable costs. The findings relate to DDS’
noncompliance with Federal requirements because of weaknesses in internal controls.
Appendix A summarizes the single audit findings by DDS.

The OIG audits at the California, Delaware, and Missouri DDSs also disclosed findings
in the equipment and real property management, and allowable costs areas. These
findings also relate to DDS’ noncompliance with Federal requirements because of
weaknesses in internal controls. Appendix B summarizes the OIG’s findings.

In our opinion, comparison of the California, Delaware, and Missouri DDS findings in the
single audits and the OIG audits for the same reporting period disclosed significant
differences. The OIG reported findings on unallowable costs, overstated obligations,
disbursements recorded in the wrong year, and inadequate computer access controls.
The single audits, however, did not report all of these findings. This comparison is
presented in this report for informational purposes only.
We will report our comparison
to the Federal agencies who are cognizant for the California, Delaware, and Missouri
single audits in separate management letters for any action they deem appropriate.

CASH MANAGEMENT

Seven single audits disclosed that the State did not adhere to the terms of its CMIA
agreement:

• The State of Alabama did not use funding techniques specified in the CMIA to
  request Federal cash draws. The failure to draw funds in accordance with the CMIA
  caused an increase in the State’s interest liability in an amount not readily
  determinable by the State Auditor. This finding was also included in the State’s
  single audit for the prior year.

  In addition, the State of Alabama used incorrect information to develop warrant
  clearance patterns used for cash draws. The interest liability was not readily
  determinable by the State Auditor.

• The State of California understated the interest liability due to the Federal
  Government by a net amount of $388,500. Of this amount, $89,867 was related to
  SSA funding, caused by the omission of Federal funds advanced to the State for
  payroll expenditures and incorrect clearance patterns used to calculate cash draws.
  A similar finding was included in the State’s single audit for the prior year.

• The State of Colorado’s methodology for identifying the amount and timing of cash
  draws was not adequate and resulted in cash draws not being executed in
  accordance with the CMIA.

• The State of Iowa routinely drew Federal funds several days in advance of
  disbursements. This resulted in $4,980 being paid to the Federal Government for
  interest charges.

  In addition, the State did not develop written procedures for preparing the CMIA
  annual report.
  Also, the beginning cash balances, account numbers, and payroll
  information used to prepare the CMIA annual report were not adequately verified.

• The State of Oklahoma incorrectly computed cash draws, did not draw funds in
  accordance with the CMIA, and did not maintain supporting documentation for cash
  draws.

• The State of Pennsylvania held Federal funds for extended periods of time resulting
  in material noncompliance with the CMIA. In addition, the State did not calculate the
  Federal interest liability or include the interest on the CMIA annual report. A similar
  finding was included in the State’s single audit for the prior year.

• The State of West Virginia did not reconcile the Federal grant cash balances to
  those of the State Auditor’s Office.

The Federal Government enacted the CMIA of 1990 to ensure efficiency, effectiveness,
and equity in transferring funds between the States and Federal Government. The law
requires the Federal Government to enter into an agreement with the State covering the
applicable Federal programs and to establish procedures and requirements for
transferring Federal funds.

The CMIA requires the States to minimize the time elapsing between the receipt and
disbursement of Federal funds. The CMIA allows the Federal Government to charge
interest when a State receives Federal funds in advance of disbursements. The CMIA
also allows the State to charge interest when the State incurs costs for Federal
programs before Federal funds are made available. The State must calculate Federal
and State interest liabilities for each applicable program and report liabilities to the
Federal Government on the Annual Report to the United States Department of the
Treasury.

The lack of cash management controls creates problems in States’ identifying and
assessing allowable cash needs.
In addition, without reasonable assurance that
internal controls for Federal cash draws are in place, there could be premature cash
draws, which cause the Federal Government to lose interest on the funds.

PROCUREMENT

Three single audits disclosed weaknesses related to procurements:

• The Arkansas single audit reported disbursements for computer software services in
  excess of the approved procurement amount by $5,329.

• The State of Colorado did not use competitive bidding and State-approved contracts
  to obtain consultative examinations (CEs) from 10 vendors. The DDS paid over
  $1.7 million, or 76 percent of its total CE expenditures to these 10 vendors. Over
  $1 million was paid to 1 vendor, a medical conglomerate employing 25 doctors. In
  addition, the average cost per medical procedure paid to the conglomerate was about
  $6 greater, or approximately 6 percent more than the average cost per procedure
  paid to the other 9 vendors.

• The State of Pennsylvania did not enter into properly prepared and approved written
  agreements for the purchase of CEs. The State requires a written contract be issued
  when total payments to an individual provider are greater than $300. Testing by the
  auditor identified total payments to 3 providers of $64,190; $4,093; and $27,452.
  However, contracts were not executed with these providers.
  A similar finding was
  included in the State’s single audit for the prior year.

    FISCAL MANAGEMENT
    POMS DI 39542.205 states “CEs with medical providers using competitively bid
    contracts should result in a substantially reduced cost of examinations.”

The DDS Management should ensure that procurement instructions are in accordance
with POMS, which requires contracts to be obtained through a competitive bidding
process.¹⁰ Once the contract is awarded, a written agreement should be obtained that:
(1) defines a sound and complete procurement contract; (2) identifies the parties
covered in the contract; and (3) specifies the work to be performed.¹¹

Without the proper implementation of procurement instructions, issues of acceptable
practice, conflicts-of-interest, and standards of ethical and moral behavior could be
questioned.

¹⁰ POMS DI 39542.205
¹¹ POMS DI 39452.215

EQUIPMENT AND REAL PROPERTY MANAGEMENT

Computer Controls

Three SFY 1997 single audits disclosed weaknesses in computer controls. The
weaknesses included:

• The State of Alabama did not have a documented contingency plan to be followed in
  the event of a disaster that adversely affects the data processing operations.

  In addition, the State did not have adequate security controls to protect mainframe
  data files from unauthorized users. Policies and procedures related to hiring and
  training of personnel, protection of data files with security software, and
  changes to programs and migration of programs to production did not exist
  or were not formalized in writing, distributed, and enforced.

• The State of Kentucky did not: (a) develop written policies and procedures for
  system security; (b) use formalized security authorization procedures to establish,
  modify, or revoke system access; (c) develop written program software
  modification procedures; and (d) complete all software modifications necessary to
  ensure Year 2000 compliance. This finding was also included in the State’s single
  audit for the prior year.

• The State of Pennsylvania had significant weaknesses in the areas of logical access
  controls, physical access controls, environmental controls, and contingency
  planning. In addition, manual controls over data input, processing, and output
  controls were insufficient to compensate for the lack of general controls. A similar
  finding was included in the State’s single audit for the prior year.

    SSA, OIG, OFFICE OF INVESTIGATIONS INVESTIGATIVE PROJECT
    An employee was charged with accessing the SSA computer system to obtain
    information on Social Security numbers (SSNs) that were given to him by an
    accomplice in another State. The employee was paid $20 and $30 for each SSN he
    provided. The information was then passed on to others who used it to activate
    stolen credit cards. The theft allegedly attributed to the employee’s activities
    totaled at least $307,000. The employee resigned after receiving a proposed
    termination letter and pleaded guilty to one count of Conspiracy to Commit Credit
    Card Fraud in violation of 18 U.S.C.§029(b)(2).

DDSs operate computer systems critical to the administration of SSA’s disability
programs. These systems issue payments for administrative expenses, such as CEs
and contain confidential claimant information including SSNs.
SSA requires DDSs to
develop, distribute, and implement a formal computer security policy addressing the
confidentiality of sensitive information, data integrity, and authorized access to
information. The DDS’ computer security policy should identify computer access
controls to ensure only authorized users access the system. Access controls include
the use of personal identification numbers to identify users, passwords to authenticate
the user’s identity, and profiles to specify the functions users can perform.

The SSA’s Systems Security Handbook, dated December 1998, instructs DDSs to
make every reasonable effort to avoid disruption of critical applications processed by
automated data files and automated information systems (AIS) facilities. Furthermore, a
DDS must also minimize, and be prepared to recover from any disruption that occurs.
Contingency plans should be documented as a part of a DDS’ overall AIS security
program.

The OIG administrative cost audit at the California DDS also disclosed weaknesses in
access controls over the States’ computer system used to process SSA disability claims
(See Appendix B).

Access controls and contingency planning are essential to the administration of the
disability program. Without access controls, the DDS is open to security risks.
Accidental or intentional modifications to confidential and sensitive information can have
adverse effects on the quality of services and lead to unauthorized and inaccurate
disbursements. The lack of a contingency plan could cause a disruption of DDS claims
processing and result in poor service to disability claimants.

Property Controls

The State of Georgia did not maintain proper equipment inventory records. The
auditors sampled 375 property items totaling $5,094,540 from the Department of
Human Resources, which includes the DDS.
The following deficiencies were noted:

   — Thirty-five items totaling $88,479 could not be located.

   — Twelve items totaling $56,460 were surplused but not removed from the
     equipment inventory.

   — Six items were found in locations other than the location indicated in the
     equipment inventory records.

   — Thirty items did not have decal numbers attached.

   — Four items contained the wrong decal number.

   — Sixteen items totaling $46,992 were identified as missing or stolen, but were not
     included in the missing or stolen category on the equipment inventory records.

The State is responsible for the maintenance, tagging, and inventory of all property
acquired with SSA funding for performing the DDS function.¹² Inventory records must
include: (1) a description; (2) source of funds used in the purchase; (3) cost;
(4) inventory number; (5) date purchased; and (6) physical location.

The lack of management reviews of inventory for equipment could result in
misappropriation or improper disposition of property acquired with Federal awards.

¹² POMS DI 39530.020

REPORTING

Inaccurate Financial Reports

The State of Tennessee submitted inaccurate Reports of Obligations. The auditor
specifically identified the following:

   — Five of 13 disbursement line items, or 38.5 percent, reported for the quarter
     ended December 31, 1996, were misstated. When the errors were brought to
     the State’s attention, a revised Report of Obligations was prepared.
     However, the revised report did not reconcile with information on the State of
     Tennessee Accounting and Reporting System (STARS).

   — Six of 13 disbursement line items, or 46.2 percent, reported for the quarter ended
     September 30, 1996, were misstated, and the report’s totals were not
     mathematically accurate.

   — Two of 9 disbursement line items, or 22.2 percent, reported on the Computation
     of Medical Assistance Only Costs Attachment to the Report of Obligations for the
     quarter ended December 31, 1996, were understated by $2,077.

   In addition, the State of Tennessee also reported problems with Cost Effectiveness
   Measurement System (CEMS) Data Reporting. SSA developed CEMS to measure
   the costs of operating each DDS. CEMS also provides a methodology for
   determining the relative cost-effectiveness of each DDS.

   — An unreconcilable difference of $2,793,412 was noted between the total
     expenditures on the CEMS reports and the total claimed obligations on the
     Report of Obligations for the Federal Fiscal Year (FFY) ended
     September 30, 1996.

   — The CEMS Data Reporting Form for the quarter ended December 31, 1996, did
     not reconcile to STARS or to the employee time and attendance reports. The
     Data Validation Form was used to prepare the CEMS report. However, the Form
     contained 23 edit checks that questioned the validity and reasonableness of the
     numbers contained in the report, which were apparently ignored. The regular
     pay amount on the CEMS report was understated by $361,657, and overtime pay
     was understated by $28,796. Furthermore, hearing officers’ regular pay and
     vocational specialists’ regular pay were overstated by $13,932 and $597,
     respectively.
     Other costs were overstated by $280,040.

At the end of each FFY quarter, the DDS submits to SSA a Form SSA-4513 (Report of
Obligations) and Form SSA-4514 (Time Report of Personal Services). The Report of
Obligations shows DDS disbursements, unliquidated obligations, and cumulative
obligations for personal services, medical costs, indirect costs, and all other
nonpersonnel costs. The Time Report of Personal Services shows the regular and
overtime hours worked by DDS personnel on SSA disability determinations.

The inaccuracies on the Reports of Obligations and CEMS reports indicate an internal
control weakness in the DDS’ preparation, review, and approval of these reports prior to
submitting them to Federal officials. Without the proper mechanisms in place to identify
risks of faulty reporting caused by such items as lack of knowledge, inconsistent
application, carelessness or disregard for standards, reliable processing of Federal
awards would not be performed.

Untimely Financial Reports

The State of New York did not submit the quarterly Time Report of Personal Services to
SSA within the required timeframe. The State indicated that the timeframes for
submission and review of audit staff time cards do not generally permit collection and
compilation of time data needed to complete the report prior to the reporting deadline.
Late submission of this financial report indicates an internal control weakness in the
DDS’ procedures for timely reporting of information to SSA. This finding was also
included in the State’s single audit for the prior year.

     POMS DI 39506.815 instructs DDSs to submit the Report of Obligations and
     the Time Report of Personal Services to SSA by the 25th day after the close
     of each quarter. However, in a letter dated October 22, 1992, SSA extended
     the DDS’ due date for these forms to the 30th day after the close of each
     quarter.

The DDSs are instructed to simultaneously submit the Report of Obligations and the
Time Report of Personal Services to SSA by the 30th day after the close of each
quarter. Without accurate, timely reporting, DDS obligations and expenditures cannot
be traced and accounted for each FY.

ALLOWABLE COSTS

Five single audits reported inadequate internal controls over allowable costs:

• The State of Colorado did not regularly review or evaluate the fees used to pay
   physicians for CEs to ensure fees reflect current rates and do not exceed the highest
   rates paid by Federal or other State agencies for the same or similar types of service.
   Also, the DDS did not always follow the State approved fee schedule. Fees were
   adjusted based on limited physician availability in some geographic areas and
   physician specialization. In addition, individual negotiations were made with
   physicians resulting in 2 different physicians in the same area receiving different
   fees for the same procedure.

     CE FEES

     States are required by POMS DI 39545.210 to develop a fee schedule that will
     be used by the DDS for payment of CEs. The DDS will consider the fee schedule
     as a maximum payment schedule. Authorized payments will represent the lower
     of the provider’s usual and customary charge, or the maximum allowable charge
     under the fee schedule and should not exceed the highest rate paid by Federal
     or other agencies in the State for the same or similar types of service.
     Documentation to support rates paid to providers must be maintained.

• The State of Massachusetts did not reconcile its advance checking account. The
   State could not determine the source of $2,200 included in the account. In addition,
   proper segregation of duties did not exist since the same employee was responsible
   for reconciling the account, preparing checks for signature, and recording the
   transactions in the check register.

• The State of Missouri did not transmit DDS related refunds to the Department of
   Revenue for deposit on a timely basis. The State’s policy requires refund checks to
   be transmitted when receipts total $1,000 or at least once per week. The auditor
   noted numerous instances where individual refund checks exceeding $1,000 were
   not transmitted in accordance with this policy.

• The State of New York entered incorrect codes into the Payroll Allocation Cost
   System which resulted in the inaccurate reporting of indirect costs.
   A similar finding was included in the State’s single audit for the prior year.

   In addition, the State did not complete voucher reviews to monitor costs claimed by
   training contractors or conduct presettlement reviews of current expenditures or prior
   period adjustments to ensure the claims were made for allowable costs. A similar
   finding was included in the State’s single audit for the prior year.

• The State of Oklahoma did not maintain documentation of the assigned pay grade
   and step in an employee’s payroll file. The auditors could not determine if the
   employee’s salary was in accordance with the State’s salary schedule and reported
   a questioned cost of $4,389.

The OIG administrative cost audits for California, Delaware, and Missouri DDSs also
disclosed weaknesses in the area of allowable costs (See Appendix B).

Allowable costs must be reasonable and necessary for the performance and
administration of Federal awards as stated in OMB Circular A-87. A cost is allocable to
a program or department if the goods or services involved are charged or assigned to
such cost objective in accordance with benefits received. A cost may not be assigned
to a Federal award as a direct cost if any other cost incurred for the same purpose was
allocated to the Federal award as an indirect cost. In order to recover indirect costs, the
organization must prepare cost allocation plans, which apply to States or indirect cost
rate proposals in accordance with the guidelines provided in OMB’s circulars. Costs
must be net of all applicable credits that result from transactions that reduce or offset
direct or indirect costs.

Internal control directives require that nonfederal entities receiving Federal awards
establish and maintain internal controls designed to reasonably ensure compliance with
Federal laws, regulations and program compliance requirements.
Transactions should
be properly recorded, accounted for, and executed in compliance with applicable laws
and regulations. The DDS is required to maintain supporting documentation listing
allowable and unallowable expenditures and adjustments for unallowable costs
recorded. Also, funds, property, and other assets should be safeguarded against loss
from unauthorized use or disposition.

The absence of cost principles for goods and services charged to Federal awards
creates a risk of misappropriation or misuse of funds. In addition, unallowable
activities or costs could be charged to a Federal program and go undetected if the
proper internal controls are not in place. These controls need to be in place to ensure
that costs benefit the program and are properly authorized and documented.

COMPARISON OF SINGLE AUDIT AND OIG FINDINGS

The SSA’s OIG performs DDS administrative cost audits each year at the request of
SSA’s Office of Disability. The objectives of the audits are to determine whether:
(1) expenditures and obligations are properly authorized and disbursed; (2) Federal
funds drawn agree with total expenditures; and (3) internal controls over the accounting
and reporting of administrative costs are adequate.

The OIG performed two administrative cost audits, California and Delaware, covering
SFY 1997 DDS operations. An administrative cost audit was also performed at the
Missouri DDS for FFYs 1995 and 1996. Although the administrative cost audit is
outside the period covered by our review, it was noted that conditions found in
FFY 1996 continued to exist in FFY 1997.

The comparison of the single audit findings and OIG findings disclosed notable
differences.
The findings reported by OIG but not the single audits are discussed
below.

California DDS

The OIG administrative cost audit at the California DDS covered the period July 1994
through April 1998.13 The audit identified overstated obligations of $3,789,128 because:
(1) unallowable indirect costs for activities that were incorrectly charged to the
departmental indirect cost pool; (2) ineligible personnel and other costs for activities that
did not benefit SSA’s programs; and (3) access controls over the State’s computer
system for processing SSA disability claims needed improvement (See Appendix B).

Delaware DDS

The OIG administrative cost audit at the Delaware DDS covered the 3-year period
ended September 30, 1997.14 The Delaware DDS had: (1) incorrect expense payment
vouchers totaling $11,348 that were erroneously paid with the incorrect FY funds;
(2) nonpersonnel costs of $41,933 not supported by documentation; and (3) a payment
voucher for a CE was overpaid by $62.50 (See Appendix B).

13 Common Identification Number (CIN): A-09-97-51006

14 CIN: A-13-98-52015

Missouri DDS

The OIG administrative cost audit at the Missouri DDS covered FFYs 1995 and 1996.15
Although the administrative cost audit is outside the period covered by our review, it
was noted that conditions found in FFY 1996 continued to exist in FFY 1997. A
disbursement in the amount of $5,000 from FY 1997 was incorrectly recorded in
FY 1996 (See Appendix B).

15 CIN: A-07-97-51006

CONCLUSIONS AND RECOMMENDATIONS

The analysis of the 14 SFY 1997 single audit reports disclosed similar DDS findings in
the cash management, procurement, equipment and real property management,
reporting, and allowable costs areas.
In addition, OIG’s audits at the California,
Delaware, and Missouri DDSs reported additional findings.

The nature and frequency of the findings require SSA’s attention to improve DDS
operations. The noncompliance with Federal requirements, in our opinion, is attributed
to SSA’s limited internal control emphasis and guidance to DDSs.

SSA should be proactive in providing internal control guidance to DDSs. To do so, SSA
should provide the following instructions to the DDSs.

1. Adhere to the terms of the CMIA agreement.

2. Follow procurement instructions established by SSA and the State.

3. Obtain discounted services when competitively contracting for CEs.

4. Implement controls to prevent unauthorized computer access.

5. Develop a formal contingency plan to prevent disruption of services in the event of a
    disaster.

6. Maintain complete and accurate equipment inventory records and perform periodic
    physical inventories.

7. Implement effective procedures for preparing, reviewing, approving and timely
    reporting of information on the Report of Obligations, the Time Report of Personal
    Services and the CEMS Data Reporting Form.

8. Ensure that costs charged to SSA benefit the program and are properly authorized
    and documented.

9. Ensure CE fees do not exceed the highest rates paid by Federal or other State
    agencies for the same or similar types of service.

10. Adhere to the fees in the State approved CE fee schedule.

AGENCY COMMENTS

In response to our report, SSA agreed with all of our recommendations.
(See Appendix
D for the full text of SSA’s comments to our report).

In its general comments to the report, SSA expressed concerns regarding the
comparison of the results of the single audits and the OIG administrative cost audits.
Specifically, SSA does not believe that the comparison should be reported to the
Federal agencies cognizant for the California, Delaware and Missouri single audits
since the States have already received and commented on OIG’s administrative cost
audit findings.

We are reporting the results of our comparison of the single audits and the OIG
administrative cost audits to the cognizant Federal agencies for the purpose of providing
information that will improve the quality of the single audits conducted on SSA’s
programs. We continue to believe that the differences identified in our comparison of
the single audits and the OIG administrative cost audits warrant the attention of the
cognizant Federal agencies. Furthermore, we hope that the cognizant Federal
agencies share the results of the comparison with the non-Federal auditors.

APPENDICES

APPENDIX A

SINGLE AUDIT FINDINGS BY STATE
STATE FISCAL YEAR 1997

STATE DDS | SINGLE AUDIT FINDINGS ON DISABILITY DETERMINATION SERVICES | QUESTIONED COSTS ($)
AL | 1. Funds were not drawn in accordance with funding techniques specified in the Cash Management Improvement Act (CMIA) Treasury/State agreement. | 0
   | 2. Incorrect information was used in developing warrant clearance patterns to be used for cash draws. | 0
   | 3. There was no formal contingency plan, which includes policies and procedures to be followed in the event of a disaster that adversely affects the operations of its data processing center. | 0
   | 4. Security controls over data processing were inadequate. | 0
AK | No Findings Reported | 0
AZ | No Findings Reported | 0
AR | Disbursements for computer software services were in excess of the approved procurement amount by $5,329. | $5,329
CA | Noncompliance with Federal regulations on the default procedures required by the Federal Government when implementing the CMIA resulted in the State’s interest liability being understated by $388,500 of which $89,867 was Social Security Administration’s portion. | 89,867
CO | 1. The methodology for identifying cash draws was not adequate. | 0
   | 2. Procedures for purchasing consultative examinations (CE) including using competitive bidding, reviewing the fee schedule, standardizing procedures for rate adjustments, and ensuring compliance with Federal and State regulations were not developed. | 0
CT | No Findings Reported | 0
DC | Single Audit Not Issued (Extension Granted) | 0
DE | No Findings Reported | 0
FL | No Findings Reported | 0
GA | Inventory of equipment was not maintained in accordance with provisions of Office of Management and Budget’s Uniform Administrative Requirements and the State Property Management System Manual. | 0
GU | No Findings Reported | 0
HI | No Findings Reported | 0
ID | No Findings Reported | 0
IL | No Findings Reported | 0
IN | No Findings Reported | 0
IA | 1. Federal funds were routinely drawn in advance of disbursements. | 0
   | 2. Internal controls were not in place to ensure the accuracy of the CMIA annual report. | 0
   | 3. Controls were not in place over the administration of the CMIA Agreement. | 0
KS | No Findings Reported | 0
KY | 1. Written policies and procedures were not developed for system security. | 0
   | 2. Formalized security authorization procedures to establish, modify or revoke system access were not implemented. | 0
   | 3. Written program software modification procedures were not developed. | 0
   | 4. Software modifications were not developed for Year 2000 compliance. | 0
LA | No Findings Reported | 0
ME | No Findings Reported | 0
MD | No Findings Reported | 0
MA | Adequate internal controls were not in place over the advance checking account. | 0
MI | Single Audit Not Issued (Biennial Audit) | 0
MN | No Findings Reported | 0
MS | No Findings Reported | 0
MO | Funds were not transmitted to the Department of Revenue for deposit on a timely basis. | 0
MT | No Findings Reported | 0
NE | No Findings Reported | 0
NV | No Findings Reported | 0
NH | No Findings Reported | 0
NJ | No Findings Reported | 0
NM | No Findings Reported | 0
NY | 1. Incorrect codes were entered into the Payroll Allocation Cost System, thereby recording inaccurate indirect costs under the Cost Allocation Plan. | 0
   | 2. The Department did not follow procedures in conducting presettlement reviews. | 0
   | 3. Procedures were not followed for conducting voucher reviews to monitor training costs. | 0
   | 4. Quarterly Time Reports of Personal Services (SSA-4514) were not submitted timely. | 0
NC | No Findings Reported | 0
ND | Single Audit Not Issued (Biennial Audit) | 0
OH | No Findings Reported | 0
OK | 1. Cash draws were incorrectly computed, funds were not drawn in accordance with the CMIA agreement and supporting documentation for cash draws was not maintained. | 0
   | 2. Documentation was not maintained for an employee’s assigned pay grade or step, resulting in questioned costs of $4,389. | $4,389
OR | No Findings Reported | 0
PA | 1. State contracting and procurement standards were not adhered to when purchasing CEs. | 0
   | 2. General controls over the Disability Determination Services computer system need to be strengthened. | 0
   | 3. Funds drawn for employee payroll tax and benefits were held for an extended period of time resulting in a material noncompliance with cash management standards and an undetermined amount of interest liability due to the Federal Government. | Undetermined
PR | Single Audit Not Issued (Extension Granted) | 0
RI | No Findings Reported | 0
SC | No Findings Reported | 0
SD | No Findings Reported | 0
TN | The Report of Obligations and the Cost Effectiveness Measurement System Data Reporting form contained numerous mathematical errors and misstatements. | 0
TX | No Findings Reported | 0
UT | No Findings Reported | 0
VI | Single Audit Not Required | 0
VT | No Findings Reported | 0
VA | No Findings Reported | 0
WA | No Findings Reported | 0
WV | Cash balances were not reconciled to those of the State Auditor’s Office; therefore, existing financial data by grant may not be accurate. | 0
WI | No Findings Reported | 0
WY | No Findings Reported | 0
   | Total Questioned Costs | $99,585

APPENDIX B

OFFICE OF THE INSPECTOR GENERAL
ADMINISTRATIVE COST AUDIT FINDINGS

STATE DDS | OFFICE OF THE INSPECTOR GENERAL FINDINGS ON DISABILITY DETERMINATION SERVICES | QUESTIONED COSTS ($)
CA | 1. Unallowable indirect costs were claimed for activities that were incorrectly charged to the departmental indirect cost pool. | $3,580,673
   | 2. Personnel and other costs for activities that did not benefit the Social Security Administration’s programs were incorrectly claimed in the amount of $208,455. | 208,455
   | 3. Access controls over the State’s computer system used to process SSA disability claims needed improvement. | 0
DE | 1. Incorrect expense payment vouchers totaling $11,348 were erroneously paid with the incorrect fiscal year (FY) funds. | 11,348
   | 2. There was no documentation to support nonpersonnel costs of $41,933. | 41,933
   | 3. A Consultative Examination (CE) payment was made for an incorrect amount. | 63
   | 4. CE payments were made with incorrect FY funds. | 821
MO | A disbursement in the amount of $5,000 from the FY 1997 account was incorrectly recorded in the financial management system as a FY 1996 allotment account draw. | 0
   | Total Questioned Costs | $3,842,472

APPENDIX C

ACRONYMS

AIS     Automated Information Systems
CE      Consultative Examination
CEMS    Cost Effectiveness Measurement System
CMIA    Cash Management Improvement Act
DDS     Disability Determination Services
DI      Disability Insurance
FFY     Federal Fiscal Year
FY      Fiscal Year
OIG     Office of the Inspector General
OMB     Office of Management and Budget
POMS    Program Operations Manual System
SFY     State Fiscal Year
SSA     Social Security Administration
SSI     Supplemental Security Income
STARS   State of Tennessee Accounting and Reporting System

APPENDIX D

AGENCY COMMENTS

COMMENTS OF THE SOCIAL SECURITY ADMINISTRATION (SSA) ON THE
OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT REPORT, “REVIEW OF
STATE FISCAL YEAR 1997 SINGLE AUDIT FINDINGS” (A-07-99-84007)

We appreciate the opportunity to comment on the draft report.
Following are our comments on the recommendations.

OIG Recommendation 1

SSA should instruct the DDSs to adhere to the terms of the Cash
Management Improvement Act (CMIA) agreement.

SSA Comment

We agree with the intent of this recommendation and will issue a
DDS Administrators Letter within 90 days reminding the States to
adhere to the terms of their CMIA agreements with the Department
of Treasury.

OIG Recommendation 2

SSA should instruct the DDSs to follow procurement instructions
established by SSA and the State.

SSA Comment

We agree and
will issue a DDS Administrators Letter within 90
days, reminding the States to follow appropriate procurement
instructions established by SSA and the State.

OIG Recommendation 3

SSA should instruct the DDS to obtain discounted services when
competitively contracting for consultative examinations (CEs).

SSA Comment

We agree and will issue a DDS Administrators Letter within 90
days, reminding the States to obtain discounted services when
competitively contracting for CEs.

OIG Recommendation 4

SSA should instruct the DDSs to implement controls to prevent
unauthorized computer access.

SSA Comment

We agree. On May 25, 1999, SSA issued a Regional Commissioners
Memorandum and DDS Administrators Letter regarding DDS systems
security.

OIG Recommendation 5

SSA should instruct the DDSs to develop a formal contingency
plan to prevent disruption of services in the event of a
disaster.

SSA Comment

We agree. SSA is reviewing existing instructions governing the
federal/state relationship and will revise instructions, where
appropriate, regarding physical security requirements for the
DDSs.
We expect that a formal contingency plan will be
developed by May 2001.

OIG Recommendation 6

SSA should instruct the DDSs to maintain complete and accurate
equipment inventory records and perform periodic physical
inventories.

SSA Comment

We agree and will issue a DDS Administrators Letter within 90
days reminding the States to maintain complete and accurate
equipment inventory records and perform periodic physical
inventories.

OIG Recommendation 7

SSA should instruct the DDSs to implement effective procedures
for preparing, reviewing, approving, and timely reporting of
information on the Report of Obligations, the Time Report of
Personal Services, and the Cost Effectiveness Measurement System
Data Reporting Form.

SSA Comment

We agree. On July 10, 2000, as a result of OIG's Final Report
“Review of State Fiscal Year 1996 Single Audit Findings”
(A-07-98-71002), SSA issued a note to the Regional Offices’
Center for Disability Directors to remind the DDSs to implement
effective procedures for preparing, reviewing, approving, and
timely reporting of information on the Report of Obligations and
the Time Report of Personal Services.

As a result of this SFY 1997 audit, SSA will issue a DDS
Administrators Letter within 90 days as an additional reminder.

OIG Recommendation 8

SSA should instruct the DDSs to ensure that costs charged to SSA
benefit the program and are properly authorized and documented.

SSA Comment

We agree and will issue a DDS Administrators Letter within 90
days reminding the States to ensure that costs charged to SSA
benefit the program, and are properly authorized and documented.

OIG Recommendation 9

SSA should instruct the DDSs to ensure CE fees do not exceed the
highest rates paid by Federal or other State agencies for the
same or similar types of services.

SSA Comment

We agree and will
issue a DDS Administrators Letter within 90
days reminding the States to ensure CE fees do not exceed the
highest rates paid by Federal or other State agencies for the
same or similar types of services.


OIG Recommendation 10

SSA should instruct the DDSs to adhere to the fees in the State
approved CE fee schedule.


SSA Comment

We agree and will issue a DDS Administrators Letter within 90
days reminding the States to adhere to the fees in the State
approved CE fee schedule.


General Comments

We have concerns regarding the comparison of the single audits
and OIG's DDS administrative cost audit findings in this draft
report. Specifically, OIG’s statement on page 12, “The
comparison of the single audit findings and OIG findings
disclosed notable differences.” The differences in the two
types of audits may be explained in the POMS Section 39554.210,
which states that OIG audits are intended to “…build upon the
work already done by the State in the audit conducted under the
Office of Management and Budget Circular A-128 provisions.”

Based on the POMS reference above, we question OIG’s statement
in the draft report on page ii that “We will report our
comparison [of the single audit report findings and OIG’s report
findings] to the Federal agencies who are cognizant for the
California, Delaware and Missouri single audits in separate
management letters for any action they deem appropriate.” Since
the States have already received and acted upon OIG’s
findings/recommendations resulting from the OIG audits, we
believe that further contact with the States is unnecessary.


APPENDIX E

OIG CONTACTS AND STAFF
ACKNOWLEDGMENTS


OIG Contacts

   Roger Normand, Director, Disability Program Audit Division, (617)-565-1822

   Mark Bailey, Deputy Director, (816) 936-5591

Acknowledgements

In addition to those named above:

   Shannon Agee, Auditor

   Wanda Craig, Auditor

   Cheryl Robinson, Writer-Editor

For additional copies of this report, please contact Office of the Inspector General’s
Public Affairs Specialist at (410) 966-5998. Refer to Common Identification Number
A-07-99-84007.


APPENDIX F

SSA ORGANIZATIONAL CHART
'